[PDF] Responding to a Cardholder Data Breach








Site Data Protection (SDP) Program

31 March 2021 As a reminder an AOC by a PCI SSC approved QSA provides a “snapshot” of ... The Mastercard SDP Compliant Registered Service Provider List.



PCI DSS Validation Exemption Program for Eligible Merchants

The Mastercard Payment Card Industry Data Security Standard (PCI DSS) Compliance It also required that merchants validate PCI DSS compliance before.



Revised PCI DSS Compliance Requirements for L2 Merchants

This Mastercard SDP Program requirement included merchants completing any one of the eight SAQ types based on how they accept payment cards. Mastercard Update.



Mastercard

20 Oct. 2021 8-digit BIN expansion does not directly affect compliance with the PCI Data Security Standard (DSS) or SDP Program. • Mastercard strongly ...



Mastercard

Service Provider Categories and PCI. 30 September 2020. 1. All Service Providers registered with Mastercard that store, process



Cybersecurity Standards and Programs

15 March 2021 Does Mastercard manage PCI compliance requirements and validation? Who must comply with PCI Security Standards?



DESV Validation Requirement

1 Jan. 2022 Additional PCI information and educational resources can also be found on Mastercard PCI 360 and pcisecuritystandards.org. MASTERCARD. NEWS & ...



Q2 2021 PCI Quarterly Newsletter

MASTERCARD. NEWS & REMINDERS. PCI PA-DSS to SSF Transition. When the PCI Payment Application Data. Security Standard (PA-DSS) v3.2 expires.



Service Provider Validation

Sign up to receive Mastercard's quarterly newsletter and the PCI Security Standards Annual PCI compliance validation is required.



Mastercard Cybersecurity Training

NEWS & REMINDERS. • Issuer & Merchant Cyber. Training. • Validation Option for L2. Service Providers. • PCI PA-DSS Expiration. • PCI DSS Exemption. Program & 



Service Provider Listing - Mastercard

Mastercard’s existing PCI compliance programs under chapter 2 of the Security Rules and Procedures will be replaced with three separate documents for easy navigation The SDP Program FAQs the Global Vendor Certification Program (GVCP) FAQs and the Terminal and PIN Entry Security Standards FAQs will be updated



Data descriptors recognized by Coro Cybersecurity

Section 2 2 “Mastercard Site Data Protection (SDP) Program” in the Security Rules and Procedures describes the Program’s implementation and PCI compliance validation requirements for customers with respect to their merchants and registered service providers as well as potential assessments if those requirements are not met



Security Rules and Procedures—Merchant Edition - Mastercard

10.2.5 Mastercard Determination of ADC Event or Potential ADC Event 87
10.2.5.1 Assessments for PCI Violations in Connection with ADC Events 87
10.2.5.2 Potential Reduction of Financial Responsibility 87
10.2.5.3 ADC Operational Reimbursement and ADC Fraud Recovery—



Security Rules and Procedures - Mastercard

Security Rules and Procedures - Mastercard 7



Responding to a Cardholder Data Breach

• While the PFI will not perform a full PCI DSS assessment the PFI will report about whether deficiencies in compliance with PCI DSS requirements were observed during his investigation This does not constitute a full PCI DSS assessment nor does a lack of findings imply PCI DSS compliance




Contents This manual contains security requirements developed by MasterCard International and Visa This Payment Card Industry (PCI) Standard has also been endorsed and adopted by the payment brands denoted on the cover page These security requirements apply to members merchants and service providers that store payment card information

What is payment card industry (PCI)?

    Payment Card Industry (PCI): a set of security standards created by major credit card providers designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

What does PCI stand for?

    Essentially, PCI is an abbreviation for Payment Card Industry, an independent body composed of the major credit card schemes (Visa, MasterCard, American Express, Discover and JCB). Together they act as the Payment Card Industry Security Standards Council (PCI SSC), which sets the standards for maintaining...

Are debit cards PCI compliant?

    Yes, debit cards — along with credit and prepaid cards — that are branded with a logo of one of the five partners in PCI SSC are in scope for PCI compliance. The five partners are Visa, MasterCard, Discover, American Express and JCB International. How is “merchant” defined?

What is PCI Express card?

    A PCI Express card extends your computer with 2x COM ports and 1x LPT parallel port. This card offers RS232 output for asynchronous connection of I/O devices, e.g. an external modem, a GSM modem, a printer with a serial port, a barcode reader, etc., and also a standard parallel (LPT) port for connecting, e.g., printers.

© 2020 PCI Security Standards Council LLC.

www.pcisecuritystandards.org

GUIDANCE

Responding to a Cardholder Data Breach

PREPARATION FOR DATA BREACH MANAGEMENT

Implement an Incident Response Plan

Your organization should ensure that effective incident-management controls are in place. PCI DSS Requirement 12.10 is essential in this effort. It requires entities to "Implement an incident response plan. Be prepared to respond immediately to a system breach." Guidance in this PCI DSS requirement notes that this should be a "thorough incident response plan that is properly disseminated, read, and understood by the parties responsible." It should include proper testing exercises at least annually to ensure the process works as designed and to mitigate any missed steps to limit exposure.

Limit Data Exposure

Knowing how to limit data exposure and minimize data loss while preserving evidence is essential. For example, make sure you know how to isolate systems without simply powering them off. For more information about evidence preservation, see the section "Working with Your PFI" below.

Be prepared to alert necessary parties immediately. Having a plan and ensuring current and accurate contact information for each party must be validated regularly. This plan will include payment card brands, acquirers (merchant banks), and any other entities that may require [...]

Manage Third-Party Contracts

Make sure that all contracts with third-party service providers, hosting providers, integrators/[...] and reviewed, such as allowing your PFI access to the environments. Contracts should include provisions to require the third party's cooperation and allow a PFI to broaden the investigative scope to the third party if the third party is found to be the source of an event that impacted cardholder data security.

IDENTIFY A PFI

Some PFIs offer their services on retainer. You can consider such an agreement so that you have a PFI company ready to call when you need it.

[...] only by certain PFIs. Keep in mind that all PFIs are required to meet strict independence requirements to prevent [...] services) cannot also be used for your PFI investigation.

ENGAGING A PFI

When to Engage a PFI

If a cardholder data breach has occurred or is suspected, the payment brands may require an independent forensic investigation to be completed by a PFI listed on the PCI SSC website. Since acquirers and the payment brands each have their own rules and thresholds about when a PFI must be engaged, contact the acquirers or payment brands to make this determination. For [...] acquirer yourself, you may be required to engage the services of a PFI.

What to Expect from Your PFI

Understanding the role and how to engage a PFI is vital for successful incident management. Keep in mind the following considerations when selecting a PFI:

• PFIs are required to be independent of the entity under investigation. When choosing a PFI, [...] also a PFI, it cannot perform your investigation. Other forensic investigators (i.e., non-PFIs) or any other outside consultants (legal counsel, technical advisors, etc.) hired by or representing your company must not interfere with the PFI's investigation. The PFI must perform its own [...] While it is common for the payment brands to ask the merchant to report details of the incident to the PFI, this report is intended only to provide the PFI with information to help assess what has already been completed, and is not intended to be part of the PFI's report.

• [...] days of signing an agreement. Choose a PFI listed for the region(s) in which you think the breach has occurred.

• The investigation will be supervised by a Lead Investigator and may be conducted remotely or onsite. If the investigation is remote, the PFI will give detailed instructions about how to handle and transfer evidence securely for examination in the PFI's laboratory environment.

• [...] determine the full scope of the investigation and the relevant sources of evidence.

• The PFI will perform extensive investigation and reporting to understand what happened. You can expect to receive a PFI Preliminary Report and a Final PFI Report (both on PCI SSC's mandatory reporting templates). These reports will also be provided to your acquirer (if you have such a contract) and the affected payment brands.

• If a PIN data compromise is suspected, the PFI will also perform a PIN-security and key-[...]

What Support Will a PFI Provide?

[...] recommendations during the investigation process. It is important to begin implementing the PFI's [...] prioritize containment and secure account data while preserving the integrity of evidence. These recommendations are intended to complement your internal incident response plan. It is important for the recommendations to be implemented as soon as possible to help reduce the risk of further data loss or further compromise.

Working with Your PFI

To complete a thorough and effective investigation, the PFI will require access to data, facilities, and people. This may also include access to third-party service providers who store, process, or transmit cardholder data on your behalf or who can otherwise affect the security of the cardholder data environment (for example, website hosting providers and web application vendors). When a breach occurs or is suspected, it is critical to preserve the evidence. It may be tempting [...] generally try to recover as quickly as possible. However, careful preservation of evidence is vital both in isolating the root cause of the breach and in identifying the perpetrators. Because digital evidence is easily contaminated, maintaining a strict chain of custody is crucial to achieving useful investigation results.

Evidence Preservation

[...] is, do not log onto the compromised system(s) or change passwords [...] do not log in as ROOT, admin, etc.). To avoid losing critical data, it is highly recommended that the compromised system(s) not be used. Unless otherwise instructed by your PFI, do not turn the compromised system(s) off. Instead, isolate compromised system(s) from the network (for example, unplug the network cable or revoke/disable wireless access). Preserve all evidence and logs, such as original evidence, security events, web, database, [...] in the collection and analysis process. Document all actions taken, including dates, times, and individuals involved.
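The preservation steps above (isolate rather than power off, preserve logs, record who did what and when) can be backed by a simple chain-of-custody manifest. The POSIX shell script below is an added example, not part of the PCI SSC guidance; it assumes sha256sum is available, and the evidence directory, operator name and log line are constructed. The isolation step is only recorded in the manifest, not performed.

```shell
#!/bin/sh
# Added example, not from the PCI SSC guidance. Assumes POSIX sh and sha256sum.
# Evidence paths, operator names and the log line below are constructed.
set -u

# Append one custody record: UTC timestamp, operator, action, artifact path
# (or "-" for an action with no file) and the artifact's SHA-256, so that
# any later change to a preserved file can be detected.
record_custody() {
    manifest=$1 operator=$2 action=$3 artifact=${4:--}
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    digest=-
    [ -f "$artifact" ] && digest=$(sha256sum "$artifact" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\n' "$ts" "$operator" "$action" "$artifact" "$digest" >>"$manifest"
}

# Re-hash every artifact listed in the manifest; return 1 if any digest differs.
verify_custody() {
    manifest=$1 rc=0 tab=$(printf '\t')
    while IFS="$tab" read -r ts operator action artifact digest; do
        [ "$digest" = "-" ] && continue
        now=$(sha256sum "$artifact" | cut -d' ' -f1)
        [ "$now" = "$digest" ] || { echo "MISMATCH: $artifact" >&2; rc=1; }
    done <"$manifest"
    return $rc
}

# Constructed scenario: record the network isolation, preserve a read-only copy
# of the web log, verify it, then show that an after-the-fact edit is caught.
demo() {
    dir=$(mktemp -d) || return 1
    m=$dir/custody.tsv
    printf '10.0.0.5 - - [01/Mar/2020:10:02:11 +0000] "POST /checkout HTTP/1.1" 200\n' >"$dir/access.log"
    record_custody "$m" alice "isolated host from network (cable unplugged, system left powered on)"
    cp -p "$dir/access.log" "$dir/access.log.preserved" && chmod 0444 "$dir/access.log.preserved"
    record_custody "$m" alice "preserved copy of web access log" "$dir/access.log.preserved"
    verify_custody "$m" || return 1                         # untouched copy verifies
    chmod 0644 "$dir/access.log.preserved" && echo tampered >>"$dir/access.log.preserved"
    if verify_custody "$m" 2>/dev/null; then return 1; fi   # tampering must be detected
    rm -rf "$dir"
    return 0
}

demo && echo "chain-of-custody demo passed"
```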

Facilities

The PFI will determine what facilities must be visited or reviewed. It is important that the compromised entity understands access to the facilities may provide vital insight into what happened. [...] providers. Proactive work with these parties is important to ensure that a PFI has the needed access to the third-party site, whether physical or remote, to conduct the investigation.

People

[...] honest, and understand the role of the PFI. The PFI is not there to assign blame. [...] want to ascertain what happened and help the organization recover quickly.

Feedback

PFIs are required to provide their customers with a feedback form (or refer them to the form available on the PCI SSC website) which is submitted directly to PCI SSC. PFIs are subject to a quality-assurance program operated by PCI SSC, and all feedback is encouraged as input to this process.

STAKEHOLDER ROLES AND RESPONSIBILITIES

ACQUIRING BANK

Role: [...] institution that establishes accounts for merchants, allowing the merchants the ability to accept payment cards. Has contractual agreement with the merchant. [...] requirements for their merchants, including direct receipt of any validation documentation from the merchant.

Responsibility:
• Can require the PFI investigation.
• [...] engages the PFI.
• [...] status calls (can be irregular or regular).
• Participates on investigation status calls.
• Takes roll call of all participants.
• Manages meeting agenda.
• Restates next steps.

CARD BRANDS

Role: [...] ensure merchants and service providers protect cardholder data according to the Payment Card Industry Data Security Standard. [...] program regarding merchants, service providers, etc.

Responsibility:
• Can require the PFI investigation.
• Participates on investigation status calls.

INDEPENDENT SALES ORGANIZATION (ISO)

Role: [...] banks to establish and manage merchant accounts on behalf of the merchant banks. ISOs may also be referred to as merchant service providers or processor when they offer [...] May also manage PCI DSS compliance programs on behalf of the merchant bank and establish the compliance validation [...]

Responsibility:
• Can require the PFI investigation.
• [...] the PFI.
• [...] status calls (can be irregular or regular).
• Participates on investigation status calls.
• Takes roll call of all participants.
• Manages meeting agenda.
• Restates next steps.

[...] call. • Depending on the results of the risk [...] accounts for card brands.

MERCHANT

Responsibility:
• Can initiate the PFI investigation.
• Provides access and documentation to PFI of the cardholder data environment.
• Participates on investigation status calls.
• Provide documentation or [...] for information.
• Provide feedback on the PFI to the PCI SSC.

PAYMENT CARD INDUSTRY SECURITY STANDARDS COUNCIL (PCI SSC)

Role: [...] responsibility for management of payment card industry security standards including the PCI Data Security Standard (PCI DSS), Payment [...] and PIN Transaction Security (PTS). Manages the PCI Forensic Investigator (PFI) program.

Responsibility:
• Has oversight of the PFI program.
• Does not receive, review, or have access to forensic reports.
• Does not manage compliance programs.

THIRD-PARTY AGENT/SERVICE PROVIDER

Role: May offer processing services, technical support services (including but not limited to network support, Point-of-Sale application support), e-commerce hosting services, call center services, etc.

Responsibility:
• If required, provide documentation or [...] to PFI.
• If necessary, participates on investigation status calls.
